After receiving the password reset email and clicking the "Click Here" hyperlink, user is returned to the "Expired or Forgotten Password" page instead of arriving at the page to enter the new password.
The link in the email contains a one-time token meaning that if anyone goes to that specific URL the link will no longer work and the user is redirected to the password reset request page instead. On investigating this issue, we have found that McAfee Antivirus contains a default setting called ClickProtect which validates the URL but at the same time expends the one-time token. Other antivirus software may have a similar feature.
Per McAfee's own discussion thread on the subject there is no global allow-list to add our domain and the Sender Allow list does not affect ClickProtect. The only solution they offer is to disable ClickProtect. Outside of that the only other solution we can offer is to have your Web Administrator update your account in the Member's Area and change your email address to an alternatice that would not be affected by ClickProtect (eg. a Gmail account). Our understanding is that McAfee intends to address this issue in a future release, but that update will be on that vendor's timeline which we cannot control or predict.
Other Possible Causes:
A similar problem has been observed by users of Internet Explorer 9. The recommended solution is to use an up-to-date version of an alternate browser such as Chrome or Firefox. Support for Internet Explorer 9 has been deprecated by Microsoft and only applies to a few older operating systems such as Windows Vista or Windows Server 2008.